How to STOP VSE FROM BREAKING ePO? Prevent modification of McAfee Common Management Agent files and settings Action blocked: Create

I am trying to install and configure both VirusScan Enterprise 8.8 and ePolicy Orchestrator on a new Windows Server 2008 R2 SP1 machine located in a DMZ. So consequently I've got firewalls between the client and the ePO server. But first things first, why (apparently) is my VSE client blocking ePO communications? I've disabled the Windows Firewall to see if I can punch through, but no luck. I may have blocking going on on the network firewall, but other communication goes through, so right now I'll assume it is open. Because VSE appears to be blocking ePO. Why?

Contents of Agent_Monitor.log:

Framework Service 1/27/2016 3:36:49 PM Error Agent failed to communicate with ePO Server

Framework Service 1/27/2016 3:36:13 PM Info Agent is connecting to ePO server

Framework Service 1/27/2016 3:36:13 PM Info Agent communication session started

Framework Service 1/27/2016 3:36:13 PM Info Agent is sending PROPS VERSION package to ePO server

Framework Service 1/27/2016 3:36:13 PM Info Agent started performing ASCI

Framework Service 1/27/2016 3:36:12 PM Info Collecting Properties

Framework Service 1/27/2016 2:57:48 PM Info Next collect and send properties in 59 minutes and 21 seconds.

Contents of AccessProtectionLog.txt:

1/27/2016 2:57:10 PM Blocked by Access Protection rule NT AUTHORITY\LOCAL SERVICE C:\PROGRAM FILES (X86)\MCAFEE\COMMON FRAMEWORK\MACMNSVC.EXE C:\ProgramData\McAfee\Common Framework\db\macmnsvc.db-journal Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings Action blocked : Create

1/27/2016 2:57:16 PM Blocked by Access Protection rule NT AUTHORITY\LOCAL SERVICE C:\PROGRAM FILES (X86)\MCAFEE\COMMON FRAMEWORK\MACMNSVC.EXE C:\ProgramData\McAfee\Common Framework\db\macmnsvc.db-journal Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings Action blocked : Create

1/27/2016 2:57:21 PM Blocked by Access Protection rule NT AUTHORITY\LOCAL SERVICE C:\PROGRAM FILES (X86)\MCAFEE\COMMON FRAMEWORK\MACMNSVC.EXE C:\ProgramData\McAfee\Common Framework\db\macmnsvc.db-journal Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings Action blocked : Create

1/27/2016 3:36:07 PM Blocked by Access Protection rule NT AUTHORITY\LOCAL SERVICE C:\PROGRAM FILES (X86)\MCAFEE\COMMON FRAMEWORK\MACMNSVC.EXE C:\ProgramData\McAfee\Common Framework\db\macmnsvc.db-journal Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings Action blocked : Create

1/27/2016 3:36:12 PM Blocked by Access Protection rule NT AUTHORITY\LOCAL SERVICE C:\PROGRAM FILES (X86)\MCAFEE\COMMON FRAMEWORK\MACMNSVC.EXE C:\ProgramData\McAfee\Common Framework\db\macmnsvc.db-journal Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings Action blocked : Create

What steps can I take to confirm that VSE is not the cause of the problem here?

5 Replies

Re: How to STOP VSE FROM BREAKING ePO? Prevent modification of McAfee Common Management Agent files and settings Action blocked: Create

As a follow-up, I found the documentation about what ports need to be opened through the firewalls (https://kc.mcafee.com/corporate/index?page=content&id=KB66797). I'm having my network guys confirm those ports are open. But the logged errors by VSE above still concern me.

Thanks.

Re: How to STOP VSE FROM BREAKING ePO? Prevent modification of McAfee Common Management Agent files and settings Action blocked: Create

Digging into this, I found a similar problem described in KB81232 with a proposed work-around solution referencing KB56502. I updated the Access Protection Rule "Common Standard Protection" by adding C:\PROGRAM FILES (X86)\MCAFEE\COMMON FRAMEWORK\MACMNSVC.EXE to the "Process to exclude" list.

I then re-ran "C:\Program Files (x86)\McAfee\Common Framework>cmdagent.exe /p" to contact the ePO server and become a managed workstation. That gave the expected message "2016-01-28 13:17:34.327 cmdagent(3748.3752) cmdagent.Info: Properties collect and send command initiated by cmdagent."

Just to be sure, I restarted the server.

After restart I noted that the taskbar icon for McAfee had changed from the silver/red "M" shield to the VSE red/blue "V" shield. Which was not an expected result. Not sure that it means anything. On a different DMZ host I am configuring identically to the above, the silver/red "M" shield process is UpdaterUI.exe, so I ran that program from C:\Program Files (x86)\McAfee\Common Framework\x86 and the taskbar icon became the silver/red "M" shield again. (This gives me access to the McAfee Agent Status Monitor). Odd behavior.

Looking at the AccessProtectionLog.txt file, I find that although I have updated the exclusions per the KB noted above, the following is still present!!

1/28/2016 1:22:14 PM Blocked by Access Protection rule NT AUTHORITY\LOCAL SERVICE C:\PROGRAM FILES (X86)\MCAFEE\COMMON FRAMEWORK\MACMNSVC.EXE C:\ProgramData\McAfee\Common Framework\db\macmnsvc.db-journal Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings Action blocked : Create

Re: How to STOP VSE FROM BREAKING ePO? Prevent modification of McAfee Common Management Agent files and settings Action blocked: Create

I also consulted KB84087 and KB73080 (the latter being the most well-written and understandable discussion). Still, no joy.

Re: How to STOP VSE FROM BREAKING ePO? Prevent modification of McAfee Common Management Agent files and settings Action blocked: Create

Answered:

With some assistance from friendly Intel/McAfee technical support I have solved this issue.

1) I was editing the wrong Rule within the On Access policy. There are several rules per each policy and the GUI opens at the top of the list. I did not realize this and did not scroll down to select the correct Rule to be updated. ID10T PBKC

2) Once I overcame item 1), I then successfully edited the correct rule, adding the full program path to the exclusion list. Although this is apparently not documented clearly, the support technician explained "IMPORTANT: When specifying processes to exclude, you must specify a process name only and not the full path to the process. It is not supported to specify full paths to processes. If you do so, there is no guarantee the exclusion will work. Some McAfee default rules contain full path exclusions for processes, but these are special case scenarios that are hard coded to work successfully."

3) Initially I edited the exclusion list, adding only MACMNSVC.EXE, at the top of the list of existing exclusions. I applied and saved my edit. It appeared to disappear! I assumed my edit was being somehow denied. Then I noticed that VSE sorts the list for display, and although edited at the beginning, the entry is somewhere halfway down the jumble of entries in alphabetical order.

4) Although my client was not yet connected to ePO (because it is isolated in a DMZ) the On Access policies will eventually be wiped out by ePO centralized policy distribution. This will be true after I get my network guys to open necessary ports in the firewall. At that time I will update ePO with the MACMNSVC.EXE program exclusion.

Re: How to STOP VSE FROM BREAKING ePO? Prevent modification of McAfee Common Management Agent files and settings Action blocked: Create

Sorry, meant to say "Access Protection" Categories have multiple Rules (not Rule within the On Access Policy). Can't seem to edit my original posting to clean this up.
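
To check whether an exclusion edit like the one in this thread actually took effect, the AccessProtectionLog.txt entries can be parsed and only the blocks logged after the edit counted. The following is an added example, not part of the original posts and not McAfee code; the field layout is inferred from the log lines quoted above, and the function names, the sample rows and the edit time are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime
from ntpath import basename  # Windows path rules on any OS

# Field layout inferred from the log lines quoted in the thread (assumption).
LINE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"Blocked by Access Protection rule\s+(?P<user>.+?)\s+"
    r"(?P<process>[A-Za-z]:\\.+?\.exe)\s+(?P<target>[A-Za-z]:\\.+?)\s+"
    r"(?P<category>[A-Za-z\- ]+? Protection):(?P<rule>.+?)\s+"
    r"Action blocked\s*:\s*(?P<action>\w+)$", re.IGNORECASE)

def parse(lines):
    """Yield one dict per block event; lines that do not match are skipped."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(f"{ev['date']} {ev['time']}",
                                         "%m/%d/%Y %I:%M:%S %p")
            yield ev

def still_blocked(lines, changed_at):
    """Count blocks per (process name, rule) logged after the exclusion edit."""
    return Counter((basename(e["process"]).upper(), e["rule"])
                   for e in parse(lines) if e["ts"] > changed_at)

def audit_exclusion(exclusions, process_path):
    """Report how a process appears in a rule's "Process to exclude" list."""
    entries = {e.strip().upper() for e in exclusions}
    if basename(process_path).upper() in entries:
        return "excluded-by-name"
    if process_path.upper() in entries:
        return "full-path-entry"  # form the thread's support quote calls unsupported
    return "not-excluded"

# Constructed sample in the shape of the thread's log lines.
AGENT = r"C:\PROGRAM FILES (X86)\MCAFEE\COMMON FRAMEWORK\MACMNSVC.EXE"
_ROW = (r"{} Blocked by Access Protection rule NT AUTHORITY\LOCAL SERVICE " + AGENT
        + r" C:\ProgramData\McAfee\Common Framework\db\macmnsvc.db-journal"
        r" Common Standard Protection:Prevent modification of McAfee Common"
        r" Management Agent files and settings Action blocked : Create")
SAMPLE = [_ROW.format(t) for t in
          ("1/27/2016 2:57:10 PM", "1/27/2016 3:36:12 PM", "1/28/2016 1:22:14 PM")]

if __name__ == "__main__":
    print(still_blocked(SAMPLE, datetime(2016, 1, 28, 13, 0)))  # assumed edit time
    print(audit_exclusion([AGENT], AGENT))
```

A non-empty count for a process after the edit time, combined with a "full-path-entry" or "not-excluded" result for the rule that is doing the blocking, points at the exclusion list rather than the network.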